A flaw in Dahua IP Cameras allows full take over of the devices

A vulnerability, tracked as CVE-2022-30563, impacting Dahua IP Camera can allow attackers to seize control of IP cameras.

The CVE-2022-30563 vulnerability impacting Dahua IP Camera can allow attackers to seize control of IP cameras. The issue affects Dahua’s implementation of the Open Network Video Interface Forum (ONVIF).

ONVIF provides and promotes standardized interfaces for effective interoperability of IP-based physical security products.

The vulnerability was discovered by researchers from Nozomi Networks and received a CVSS score of 7.4.

“We’re publishing the details of a new vulnerability (tracked under CVE-2022-30563) affecting the implementation of the Open Network Video Interface Forum (ONVIF) WS-UsernameToken authentication mechanism in some IP cameras developed by Dahua, a very popular manufacturer of IP-based surveillance solutions.” reads the advisory published by Nozomi Networks. “This vulnerability could be abused by attackers to compromise network cameras by sniffing a previous unencrypted ONVIF interaction and replaying the credentials in a new request towards the camera.”

ONVIF-conformant products allow users to perform a variety of actions on the remote device through a set of standardized Application Programming Interfaces (APIs), including watching camera footage, locking or unlocking a smart door, and performing maintenance operations.

The flaw resides in the “WS-UsernameToken” authentication mechanism implemented by Dahua in some of its IP cameras. Due to the lack of checks to prevent reply attacks, a threat actor can sniff an unencrypted ONVIF interaction and indefinitely replay the credentials in new requests towards the camera, which would be accepted as valid authenticated requests by the device.

Once obtained the credentials, an attacker can add an administrator account and use it to obtain full access to the device and perform actions such as watching live footage from the camera as shown below.

An attacker can conduct this attack by capturing one unencrypted ONVIF request authenticated with the WS-UsernameToken schema.

The following versions of Dahua video products, are affected:

• Dahua ASI7XXX: Versions prior to v1.000.0000009.0.R.220620
• Dahua IPC-HDBW2XXX: Versions prior to v2.820.0000000.48.R.220614
• Dahua IPC-HX2XXX: Versions Prior to v2.820.0000000.48.R.220614

The vendor addressed the issue with the release of a patch on June 28, 2022,

“In addition to building security, surveillance cameras are used throughout many critical infrastructure sectors such as oil & gas, power grids, telecommunications, etc. These cameras are used to oversee many production processes, providing remote visibility to process engineers. Threat actors, nation-state threat groups in particular, could be interested in hacking IP cameras to help gather intel on the equipment or production processes of the target company.” concludes Nozomi. “This information could aid in reconnaissance conducted prior to launching a cyberattack. With more knowledge of the target environment, threat actors could craft custom attacks that can physically disrupt production processes in critical infrastructure.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, IP Cameras)

[adrotate banner=”5″]

[adrotate banner=”13″]